Sunday, April 7, 2013

To Train or Not To Train. That is the Question

Three years ago, I started giving a presentation called The Human Nature of Security: Pink Elephants, Power Rangers, and the United States Marine Corps. The premise of the presentation was straightforward: the security profession has preached for decades that security is people, process, and technology yet we have continued to neglect the people portion of that triad to our detriment. I then spent some time talking about different aspects of how we were overlooking the human factor and how we might better harness the human element to our benefit. I didn’t think much about this presentation at the time, although there were very few people discussing human factors security in the mainstream back in 2010.

Now, it seems, everywhere I turn there is conversation on the Human Element – and that conversation is becoming more polarized within our community. On one side of the argument are those who would argue that training computer users in security is the equivalent of training a car driver to be a master mechanic; indeed, Bruce Schneier entered the fray on this side of the argument just last week. On the other side of the argument are those who argue that the human factor is vital to our success; ISSA president Ira Winkler has, to date, been the standard bearer of the argument.

I agree with the thesis Mr. Winkler presents in most of his arguments…but not for the reasons Ira puts forth. My reasons tend to be a tad more fundamental. To understand them, let’s take a look at Mr. Schneier’s closing lines from his blog entry on this argument:  

If we security engineers do our job right, then users will get their awareness training informally and organically from their colleagues and friends…[t]hen maybe an organization can spend an hour a year reminding their employees what good security means at that organization, both on the computer and off.

...and therein lies the rub. Too many security professionals believe that one hour of mandatory, fluffy, check-the-block lectures constitutes security training. It does not.

In the 2+ decades that I’ve been in this profession, I would submit that we have done little more than pay lip service to the concept of security education, training, and awareness (that multi-faceted SETA thing goes beyond just training, remember? :) ). We have had (and continue to have) difficulty getting the attention of the folks we work for, so we limit our training efforts to the minimum required for compliance. Further, if we can have a third party come up with the material and deliver the training, it is easier for us to implement. Since we have more pressing matters to attend to, why pay attention to the content and quality of something that’s not going to be effective anyway, right?

This attitude is not unexpected, nor should it be. Most of us came up geek. People – particularly non-geek people – are riddles wrapped inside of mysteries surrounded by enigmas for many of us. Worse, our collegiate programs require very little of those “fluffy” skills like psychology, sociology, and behavioral science within our engineering educational framework. It is therefore mindboggling and downright bothersome to us when people can’t see the importance of what we are doing and why we are doing it. When folks suggest things such as learning to communicate better and speaking the language of the business, many of our brethren complain that we can only “dumb things down” so much without losing the efficacy of the message. 

Sound familiar? :) 

I recently asked a group of 50 of my peers about their SETA efforts. The results of this informal poll were interesting:
  • All 50 members had some type of SETA program in place.
  • 38 of those 50 were doing no more than the minimum compliance training required by various regulations.
  • Of the remaining 12, 10 were doing training that was geared toward specific roles (such as developers, IT personnel, and managers).
  • The remaining 2 individuals had put together comprehensive programs that included multi-faceted training, messaging, and communications that occurred regularly throughout the year and were exercised & measured accordingly. 
In other words, only 4% of the sample population had implemented a comprehensive, end-to-end SETA program.

My point, folks, is this: before we dismiss the value of true SETA within an environment, how about we spend time as a profession understanding, implementing, and measuring the impact of truly holistic SETA programs within our environments? We are calling failure on a process we have never bothered to truly understand, implement, and embrace as a profession.

Don’t get me wrong, now; all of the arguments re: better engineered and failure-proof technology that the SETA nay-sayers make are still valid. These improvements should be pursued aggressively and passionately. That being said, technology transformation -- even at its most revolutionary -- occurs in years. If I can modify someone’s opinion and subsequent behavior even a fraction, that can happen in minutes. Modifying that opinion to a more security-oriented one reduces risk to my environment and to the individuals I serve. I don’t need people to understand the intricacies of what I do; I just need them to understand that our decisions aren’t flippant and (more importantly) that they should alert us if anything they see or experience is out of the norm. 

While it may not be as sexy as geeking out over code, as a profession we should be hesitant to dismiss the relevance of SETA before truly embracing the training paradigm, learning how to train and educate effectively, and applying the considerable skills and passion of this profession to the human element.

You might be surprised at the results…

1 comment:

  1. Great posting! Thanks for putting this out there.